Dip Your Toes in the Sea of Security (CoderCruise 2017)
0 likes336 views
The document contains a presentation by James Titcumb at CoderCruise 2017, focusing on security practices for PHP applications. It outlines key concepts such as filtering input, escaping output, and preventing common vulnerabilities like SQL injection and cross-site scripting. The presentation emphasizes the importance of simplicity, risk awareness, and secure coding practices.
![@asgrim
Some simple PHP code...
<?php
$a = (int)filter_var($_GET['a'],
FILTER_SANITIZE_NUMBER_INT);
$b = (int)filter_var($_GET['b'],
FILTER_SANITIZE_NUMBER_INT);
$result = $a + $b;
printf('The answer is %d', $result);](https://image.slidesharecdn.com/170717-dipyourtoesintheseaofsecuritycodercruise2017-170713152522/85/Dip-Your-Toes-in-the-Sea-of-Security-CoderCruise-2017-4-320.jpg)
![@asgrim
SQL Injection (#1)
<?php
// user_id=1; DROP TABLE users; --
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = {$user_id}";
$db->execute($sql);
✘](https://image.slidesharecdn.com/170717-dipyourtoesintheseaofsecuritycodercruise2017-170713152522/85/Dip-Your-Toes-in-the-Sea-of-Security-CoderCruise-2017-19-320.jpg)
![@asgrim
SQL Injection (#1)
<?php
$user_id = $_GET['user_id'];
$sql = "
SELECT * FROM users
WHERE user_id = :userid";
$stmt = $db->prepare($sql);
$stmt->bind('userid', $user_id);
$stmt->execute();
✓](https://image.slidesharecdn.com/170717-dipyourtoesintheseaofsecuritycodercruise2017-170713152522/85/Dip-Your-Toes-in-the-Sea-of-Security-CoderCruise-2017-20-320.jpg)
![@asgrim
Cross-Site Request Forgery / CSRF (#8)
<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}](https://image.slidesharecdn.com/170717-dipyourtoesintheseaofsecuritycodercruise2017-170713152522/85/Dip-Your-Toes-in-the-Sea-of-Security-CoderCruise-2017-27-320.jpg)
![@asgrim
<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}
Cross-Site Request Forgery / CSRF (#8)](https://image.slidesharecdn.com/170717-dipyourtoesintheseaofsecuritycodercruise2017-170713152522/85/Dip-Your-Toes-in-the-Sea-of-Security-CoderCruise-2017-28-320.jpg)
![@asgrim
Cross-Site Request Forgery / CSRF (#8)
<?php
if (!$isPost) {
$csrfToken = base64_encode(random_bytes(32)));
$_SESSION['csrf_token'] = $csrfToken;
// ... output the form ...
echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />';
} else if ($isPost) {
if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die("Token invalid...");
}
// ... handle the form ...
}](https://image.slidesharecdn.com/170717-dipyourtoesintheseaofsecuritycodercruise2017-170713152522/85/Dip-Your-Toes-in-the-Sea-of-Security-CoderCruise-2017-29-320.jpg)
Dip Your Toes in the Sea of Security (CoderCruise 2017)
- 1. @asgrim Dip Your Toes in the (Caribbean) Sea of Security James Titcumb CoderCruise 2017
- 3. @asgrim
- 4. @asgrim Some simple PHP code... <?php $a = (int)filter_var($_GET['a'], FILTER_SANITIZE_NUMBER_INT); $b = (int)filter_var($_GET['b'], FILTER_SANITIZE_NUMBER_INT); $result = $a + $b; printf('The answer is %d', $result);
- 5. @asgrim
- 7. @asgrim The Golden Rules (my made up golden rules)
- 8. @asgrim 1. Keep it simple
- 9. @asgrim 2. Know the risks
- 11. @asgrim 4. Don’t reinvent the wheel
- 12. @asgrim 5. Never trust anything
- 13. @asgrim OWASP & the OWASP Top 10 https://www.owasp.org/
- 14. @asgrim Application Security (mainly PHP applications)
- 15. @asgrim Always remember… Filter Input Escape Output
- 16. @asgrim © 2003 Disney/Pixar. All Rights Reserved. SQL Injection (#1)
- 19. @asgrim SQL Injection (#1) <?php // user_id=1; DROP TABLE users; -- $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = {$user_id}"; $db->execute($sql); ✘
- 20. @asgrim SQL Injection (#1) <?php $user_id = $_GET['user_id']; $sql = " SELECT * FROM users WHERE user_id = :userid"; $stmt = $db->prepare($sql); $stmt->bind('userid', $user_id); $stmt->execute(); ✓
- 21. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
- 22. @asgrim exec($_GET) https://github.com/search?q=exec%28%24_GET&ref=cmdform&type=Code
- 24. @asgrim Cross-Site Scripting / XSS (#3) © 2003 Disney/Pixar. All Rights Reserved.
- 25. @asgrim Cross-Site Scripting / XSS (#3) <?php $unfilteredInput = '<script type="text/javascript">...</script>'; // Unescaped - JS will run :'( echo $unfilteredInput; // Escaped - JS will not run :) echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
- 26. @asgrim Cross-Site Request Forgery / CSRF (#8) http://www.factzoo.com/invertebrates/cuttlefish-chameleon-of-the-sea.html
- 27. @asgrim Cross-Site Request Forgery / CSRF (#8) <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... }
- 28. @asgrim <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... } Cross-Site Request Forgery / CSRF (#8)
- 29. @asgrim Cross-Site Request Forgery / CSRF (#8) <?php if (!$isPost) { $csrfToken = base64_encode(random_bytes(32))); $_SESSION['csrf_token'] = $csrfToken; // ... output the form ... echo '<input type="hidden" name="csrf_token" value="'.$csrfToken.'" />'; } else if ($isPost) { if (hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) { die("Token invalid..."); } // ... handle the form ... }
- 30. @asgrim Timing attacks // From zend_is_identical: return (Z_STR_P(op1) == Z_STR_P(op2) || (Z_STRLEN_P(op1) == Z_STRLEN_P(op2) && memcmp(Z_STRVAL_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op1)) == 0));
- 31. @asgrim Timing attacks Actual string: “foobar” ● a (0.00001) ● aa (0.00001) ● aaa (0.00001) ● aaaa (0.00001) ● aaaaa (0.00001) ● aaaaaa (0.00002) ← success! ● aaaaaaa (0.00001) ● aaaaaaaa (0.00001) ● aaaaaaaaa (0.00001)
- 32. @asgrim Timing attacks 1 int memcmp(const void* s1, const void* s2,size_t n) 2 { 3 const unsigned char *p1 = s1, *p2 = s2; 4 while(n--) 5 if( *p1 != *p2 ) 6 return *p1 - *p2; 7 else 8 p1++,p2++; 9 return 0; 10 } http://clc-wiki.net/wiki/C_standard_library:string.h:memcmp#Implementation
- 33. @asgrim Timing attacks Actual string: “foobar” ● “aaaaaa” (0.00001) ● “baaaaa” (0.00001) ● … ● “faaaaa” (0.00002) ← success! ● “fbaaaa” (0.00002) ● “fcaaaa” (0.00002) ● … ● “foaaaa” (0.00003) ← success!
- 34. @asgrim Sensitive Data Exposure (#6) © 2003 Disney/Pixar. All Rights Reserved.
- 35. @asgrim Sensitive Data Exposure (#6)
- 36. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
- 37. @asgrim curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); ✘
- 38. @asgrim curl + https <?php curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($ch, CURLOPT_CAINFO, "/path/to/certificate"); ✓
- 39. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
- 41. @asgrim Third Party Code !!! WARNING !!!
- 42. @asgrim Third Party Code github.com/ /SecurityAdvisories !!! WARNING !!!
- 44. @asgrim
- 45. @asgrim We are not all security experts!
- 46. @asgrim We are not all security experts! … but we CAN write secure code
- 47. @asgrim Hack your own system! © 2003 Disney/Pixar. All Rights Reserved.
- 48. @asgrim What do you want? Think like a hacker
- 49. @asgrim How do you get it? Think Differently
- 50. @asgrim Threat Modelling D.R.E.A.D. © Buena Vista Pictures
- 51. @asgrim Threat Modelling Damage R E A D © Buena Vista Pictures
- 52. @asgrim Threat Modelling Damage Reproducibility E A D © Buena Vista Pictures
- 53. @asgrim Threat Modelling Damage Reproducibility Exploitability A D © Buena Vista Pictures
- 54. @asgrim Threat Modelling Damage Reproducibility Exploitability Affected users D © Buena Vista Pictures
- 55. @asgrim Threat Modelling Damage Reproducibility Exploitability Affected users Discoverability © Buena Vista Pictures
- 56. @asgrim Rank them in order And fix them! © Buena Vista Pictures
- 59. @asgrim Case Study: Custom Authentication We thought about doing this…
- 60. @asgrim Case Study: Custom Authentication We thought about doing this…
- 61. @asgrim Case Study: Custom Authentication We thought about doing this… ✘
- 62. @asgrim Password Hashing password_hash() (basically, bcrypt with proper salt)
- 64. @asgrim
- 67. @asgrim
- 68. @asgrim CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN”
- 69. @asgrim CRYPTOGRAPHY IS HARD NEVER EVER “ROLL YOUR OWN” EVER!!!
- 70. @asgrim How to encrypt then?
- 71. @asgrim I’ve got some great ideas for encryption... Image: IBTimes (http://goo.gl/zPVeo0)
- 72. @asgrim How to encrypt then? libsodium PECL package
- 74. @asgrim Create an SSH Fortress
- 76. @asgrim iptables #!/bin/bash IPT="/sbin/iptables" $IPT --flush $IPT --delete-chain $IPT -P INPUT DROP $IPT -P FORWARD DROP $IPT -P OUTPUT DROP # Loopback $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT # Inbound traffic $IPT -A INPUT -p tcp --dport ssh -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -j ACCEPT # Outbound traffic $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
- 78. @asgrim ufw sudo ufw enable sudo ufw allow 22 sudo ufw allow 80
- 79. @asgrim Mitigate Brute Force Attacks
- 80. @asgrim Install Only What You Need
- 81. @asgrim © 2003 Disney/Pixar. All Rights Reserved.
- 82. @asgrim +
- 83. @asgrim Case Study: Be Minimal Internets Postfix Squid Proxy (badly configured) hacker spam
- 84. @asgrim Resources ● http://securingphp.com/ ● https://www.owasp.org/ ● http://blog.ircmaxell.com/ ● https://github.com/paragonie/random_compat ● https://github.com/ircmaxell/password_compat ● https://paragonie.com/blog ● https://websec.io/resources.php ● https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04 ● https://www.kali.org/
- 85. @asgrim The Golden Rules 1. Keep it simple 2. Know the risks 3. Fail securely 4. Don’t reinvent the wheel 5. Never trust anything / anyone
- 86. @asgrim If you follow all this, you get...
- 87. @asgrim If you follow all this, you get...